New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
WordPress DDoS Exploit killing lighttpd php-fastcgi?
linuxthefish
Member
I've got loads of requests from wordpress pingback URL's to / on my server, and it's crashing lighttpd with mega high load! Anyone knows a fix for this?
I've tried "iptables -I INPUT -p tcp -s 0.0.0.0/0 -m string --string "Wordpress" --algo bm -j DROP" but no luck.
Last bits of my webserver log:
All from different IP's and URL's...
Comments
Yes, it is very common now. Quick fix:
chmod 000 xmlrpc.php
...will stop them for good!
It's me being hit, not by site being used to attack others
His fix will work for you, too.
http://blog.spiderlabs.com/2014/03/wordpress-xml-rpc-pingback-vulnerability-analysis.html
You can also disable pingbacks in your theme functions file:
Lol dude you are being hit on this particular file: xmlrpc.php.
Chmod 000 and let them hit at 403 forbidden!
Got that file deleted, and still no good
Give it some time.. Are you still seeing "verifying pingback" in the logs? If php processes still running like crazy let me know
Nope, still going on...
ps auxfee > /root/process.txt
Check /root/process.txt, you should have more info about php-cgi processes - details like php file that is being executed, remote ip, port, environment variables etc..
Hopefully that should help you pinpoint which script is being hit.
It looks like an HTTP DoS as opposed to a pingback attack; All requests are GET, and made to the index. Have you installed W3 Total Cache? @linuxthefish
Sorry for the quick first post, however I fixed this by switching to pm = ondemand and 100 max children (goodbye ram).
Use cloudflare, one option!
Two you could use some PHP code to exit the process for anything that has a referrer of wordpress.
cloudflare wont do anything.
Block WordPress user-agent and you will be fine.
Then you dont know cloudflare.
If wordpress != upgraded
then suspend website
Cloudflare can soak up most attacks however they're useless for Layer 7 application targeted floods, if you want nice protection you would have to either upgrade to their pro or business plan. I got fed up with Cloudflare so I used a cheap OVH VPS as a reverse proxy and that works quite well for my needs ands its been working since then.
What Cloudflare was doing was it doesn't detect the XML-RPC ping back DDoS and it passes it as a true legitimate request then Lite speed webserver thinks Cloudflare the the orgin of the flood then blocks Cloudflare which means my site is offline at that point which is a big no no.
I had the pro plan, I also think Incapsula is better than Cloudflare in many areas however nothing beats Cloudflare free for basic attacks
Just to be clear, it's not my wordpress install sending out attacks - I've got pingbacks disabled, as well as a plugin that stops it. I also updated last night before most of the attacks on my site
Have you tried Nginx with Test cookie and or rate limit requests per ip
I still suggest a simple php code or lighttpd rule that blocks a request if the http_user_agent contains wordpress
<?php if(strpos($SERVER['HTTP_USER_AGENT'], 'wordpress') !== false) { exit('bad user agent'); } ?>
Apparently it's not possible to add a rewrite rule for HTTP referer, but i'll try the above code also.
I've run into these more and more lately, a simple rule for WordPress user agent blocks it fairly well.
It doesn't look like that many IP addresses attacking you, it's relatively easy to parse your access-log for unique IPs and add them to CSF (or iptables).
I did with fail2ban, more just kept coming
Really? really? I have had this type of attack dozen of times under free and pro cloudflare accounts.
How many times were you hit? You must have been on business or enterprise package if they mitigated this.
I'm on business package and didn't feel anything on my server, I guess that they mitigated the attack
Why don't you just cache your Wordpress? Then the / index hits will be served instantly.
Cloudflare can even do this for you if you set up the rules to cache dynamic pages. I doubt you need your blog to be updated every second anyway.
I was on the free plan, never had an issue when I was hit by a few login brute force bots and such.
No comment. You do realize it is not brute-force, not even similar, right?
Brute-forcing, while having an end goal of obtaining valuable user information, still remains a type of DoS attack. Both have similar results, as a large amount of requests are made in a short period of time.
With Nginx,
and will save you precious FastCGI connections.
return 444;
Would be better
http://httpstatusdogs.com/444-no-response
Yes.....
Indeed
He isn't using Nginx, and 'if' inside nginx is BAD!